public inbox for buildroot@busybox.net
* [Buildroot] [PATCH] package/rauc: security bump to version 1.15.2
@ 2026-03-27 18:21 Peter Korsgaard
  2026-03-27 19:10 ` Julien Olivain via buildroot
  2026-04-03 10:28 ` Thomas Perale via buildroot
  0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2026-03-27 18:21 UTC (permalink / raw)
  To: buildroot; +Cc: Heiko Thiery, Andrey Yurovsky

Fixes the following security issue:

CVE-2026-34155: Improper Signing of Plain Bundles Exceeding 2 GiB

RAUC bundles using the 'plain' format exceeding a payload size of 2 GiB
cause an integer overflow which results in a signature which covers only the
first few bytes of the payload.  Given such a bundle with a legitimate
signature, an attacker can modify the part of the payload which is not
covered by the signature.

Bundles using the recommended 'verity' or 'crypt' formats are not affected.

For more details, see the advisory:
https://github.com/rauc/rauc/security/advisories/GHSA-6hj7-q844-m2hx

https://github.com/rauc/rauc/releases/tag/v1.15.2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/rauc/rauc.hash | 2 +-
 package/rauc/rauc.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/rauc/rauc.hash b/package/rauc/rauc.hash
index ea537c63b6..edfefb5a7b 100644
--- a/package/rauc/rauc.hash
+++ b/package/rauc/rauc.hash
@@ -1,3 +1,3 @@
 # Locally calculated after checking pgp signature
-sha256  603dafa5085b6b964c74d5f57a154a1489af2b415dd20c6ff1447815d02c094f  rauc-1.15.1.tar.xz
+sha256  127a24cde208c65b837ae978c695a00730f1094ee8b6c7d48cf58ef846eae340  rauc-1.15.2.tar.xz
 sha256  20e50fe7aae3e56378ebf0417d9de904f55a0e61e4df315333e632a4d3555d95  COPYING
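Review bot: The context comment "Locally calculated after checking pgp signature" does not record which signature file or key was checked for rauc-1.15.2.tar.xz, so the new sha256 cannot be re-verified from this file alone. Consider adding the signature URL as a second comment line above the hash. The unchanged COPYING hash is consistent with the license text not changing between 1.15.1 and 1.15.2.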
diff --git a/package/rauc/rauc.mk b/package/rauc/rauc.mk
index ba30c70dad..54974abc09 100644
--- a/package/rauc/rauc.mk
+++ b/package/rauc/rauc.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-RAUC_VERSION = 1.15.1
+RAUC_VERSION = 1.15.2
 RAUC_SITE = https://github.com/rauc/rauc/releases/download/v$(RAUC_VERSION)
 RAUC_SOURCE = rauc-$(RAUC_VERSION).tar.xz
 RAUC_LICENSE = LGPL-2.1
-- 
2.47.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
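An added example, not part of the original message and not RAUC or Buildroot code: a small audit helper that sorts existing bundles by the condition the commit message describes (format 'plain', payload over 2 GiB). It assumes the manifest's `[bundle]` section carries a `format` key that defaults to `plain` when absent, and that the caller already knows the payload size; the function names, status strings and sample manifests are constructed for illustration.

```python
import configparser

TWO_GIB = 2 * 1024**3
UNAFFECTED = {"verity", "crypt"}  # formats the message names as not affected

# Constructed sample manifests (not taken from any real bundle).
MANIFEST_LEGACY = "[update]\ncompatible=demo-board\n\n[image.rootfs]\nfilename=rootfs.ext4\n"
MANIFEST_PLAIN = "[update]\ncompatible=demo-board\n\n[bundle]\nformat=plain\n"
MANIFEST_VERITY = "[update]\ncompatible=demo-board\n\n[bundle]\nformat=verity\n"


def bundle_format(manifest_text):
    """Return the declared bundle format; assumed to default to 'plain'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(manifest_text)
    return cp.get("bundle", "format", fallback="plain").strip()


def classify(manifest_text, payload_size):
    """Classify one bundle against the condition described for CVE-2026-34155."""
    fmt = bundle_format(manifest_text)
    if fmt in UNAFFECTED:
        return "not-affected"
    if fmt != "plain":
        return "unknown-format"  # do not guess; have a person look at it
    # The message says "exceeding 2 GiB"; including the boundary itself is a
    # conservative choice made for this example.
    return "affected" if payload_size >= TWO_GIB else "plain-under-limit"


if __name__ == "__main__":
    samples = [
        ("legacy-3g.raucb", MANIFEST_LEGACY, 3 * 1024**3),
        ("plain-512m.raucb", MANIFEST_PLAIN, 512 * 1024**2),
        ("verity-3g.raucb", MANIFEST_VERITY, 3 * 1024**3),
    ]
    for name, manifest, size in samples:
        print(f"{name}: {classify(manifest, size)}")
```
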
